Some compliance and security regulation frameworks require that your organization have certain policies in place. To assist in the process of creating new policies, your KCM GRC account offers policy templates that you can download and customize for your organization.
KCM GRC's policy templates are designed to incorporate some of the Security and Privacy Controls for Information Systems and Organizations, as defined in the National Institute of Standards and Technology (NIST) Special Publication (SP) 800-53, Revision 5. NIST SP 800-53 is a collection of security standards and guidelines that are collectively referred to as "controls". The NIST SP 800-53 controls were originally created for federal information systems, but this collection of controls has become a common standard that organizations use to become compliant with many regulating frameworks. To learn more about these NIST controls, you can find the official publication here: NIST SP 800-53 Revision 5, Security and Privacy Controls for Information Systems and Organizations.
See the sections below to learn more about KCM GRC's policy templates.
The Policy Templates Page
To see the templates that KCM GRC has to offer, navigate to the Policy Templates page in your account. From the navigation panel, click Policy Management > Policy Templates.
For more information, see the details of the Policy Templates page outlined below.
- Name: This column displays the name of the policy template.
- Created Date: This column displays the date that the policy was added to the KCM GRC system.
- Updated Date: This column displays the date that the policy was last updated by KCM GRC.
  - KCM GRC will only update policy templates when a change occurs that constitutes an update. For example, if NIST redefines the controls found in SP 800-53, our policy templates will be updated as necessary. If updates are made to the templates, the Updated Date column will show the date that changes were made. The updated templates will also be noted on the KCM GRC Change Log.
- Click the cloud icon in this column to download the policy template.
  - The policy template will download to your machine as a DOCX file. Files with the DOCX file extension can be opened and edited in most word processing software, including Google Docs and Microsoft Word version 2007 and later.
See the next section to learn more about the policy templates that are available in your account.
Policy Templates
The table below contains descriptions of the policy templates that you can find in your account.
| Policy Name | Description |
|---|---|
| Acceptable Use Policy | This policy is an agreement between the user and the organization. This policy outlines the appropriate use of the organization's assets and network, including what users may and may not do when accessing the network. This policy would typically be acknowledged and implemented by all users in an organization. |
| Audit Policy | This policy defines the security and system events that an organization should monitor, record, and review. Establishing an effective audit policy can help the organization spot security problems, ensure user accountability, and provide evidence in the event of a security breach. This policy would typically be acknowledged and implemented by an organization's IT department. |
| Change Management Policy | This policy defines the process for making changes to the information resources in an organization. This process can help an organization minimize unplanned outages and unexpected system issues, and it can help the organization plan for these events accordingly. An effective change management process includes planning and monitoring, as well as communication, rollback, and follow-up procedures to reduce the negative effects that the change may cause for your users. This policy would typically be acknowledged and implemented by an organization's IT department. |
| Configuration Management Policy | This policy defines the baseline configuration that laptops, desktops, systems, and other assets must have to maintain the integrity, confidentiality, and availability of these assets. This policy can help an organization ensure that each of its assets is tracked and maintained securely and correctly throughout the asset's life cycle. This policy would typically be acknowledged and implemented by an organization's IT department. |
| Contingency Planning Policy | This policy defines the processes, procedures, plans, and analyses that should be included in an organization's contingency plan. Establishing an effective contingency plan can enable the organization to return to its normal operations as quickly as possible after an unexpected event. This policy would typically be acknowledged and implemented by an organization's IT department. |
| Data Classification and Handling Policy | This policy defines the categories of data that an organization handles and the controls that are required to protect the organization's data. Data is classified based on the organization's business needs and legal requirements. This policy would typically be acknowledged and implemented by an organization's IT department. |
| Data Disposal Policy | This policy defines procedures for destroying or overwriting all devices and media that an organization no longer uses. This policy would typically be acknowledged by all users in an organization and implemented by the organization's IT, HR, legal, and finance departments. |
| Identification and Authentication Policy | This policy defines how only properly identified and authenticated users and devices should be granted access to an organization's information resources. All access to the organization's information resources should comply with the organization's security policies, standards, and procedures. This policy would typically be acknowledged and implemented by all users in an organization. |
| Incident Response Policy | This policy defines procedures for information security incidents that involve an organization. These procedures include incident handling, reporting, and monitoring, as well as incident response training, testing, and assistance. This policy would typically be acknowledged and implemented by an organization's IT department. |
| Malware Policy | This policy defines procedures for an organization's anti-virus software and malware protection for the organization's users and systems. This policy can help to ensure the organization's systems and other devices are secure and being used correctly. This policy would typically be acknowledged and implemented by an organization's IT department. |
| Media Protection Policy | This policy defines procedures for protecting an organization's sensitive information when storing, transporting, and disposing of digital and non-digital devices and media. This policy would typically be acknowledged and implemented by an organization's IT department. |
| Mobile Device Policy | This policy defines procedures and protocols for connecting and using mobile devices on an organization's network. This policy would typically be acknowledged and implemented by all users in an organization. |
| Personnel Security Policy | This policy defines procedures for hiring, training, and terminating members of an organization, according to the organization's information security program. This policy would typically be acknowledged and implemented by an organization's IT and HR departments. |
| Physical and Environmental Policy | This policy defines procedures for protecting an organization's information assets by using physical and environmental controls. These controls should prevent tampering, damage, theft, or unauthorized physical access to information assets. This policy would typically be acknowledged and implemented by an organization's IT department. |
| Record Retention Policy | This policy establishes a retention schedule for an organization’s records and aims to ensure that the organization properly protects and preserves its essential records and documents. This policy also establishes a process for records that an organization is no longer required to keep or records that are no longer beneficial, and it ensures that the organization disposes of the records as soon as possible. This policy would typically be acknowledged and implemented by an organization's legal and HR departments. |
| Risk Assessment Policy | This policy defines procedures for protecting business assets and members of an organization while the organization conducts risk assessments. This policy would typically be acknowledged and implemented by members of the organization who are involved in risk assessment efforts. |
| Risk Management Policy | This policy defines procedures for protecting business assets and members of an organization while the organization manages risks. This policy would typically be acknowledged and implemented by members of the organization who are involved in risk assessment and management efforts. |
| Security Awareness Training and Testing Policy | This policy specifies an organization’s internal information security awareness and training program. The program should inform and assess all members of the organization regarding their information security responsibilities. This policy would typically be acknowledged and implemented by all users in an organization. |
| System Integrity Policy | This policy establishes and defines the process of implementing system and information integrity controls. These controls can be used to maintain the confidentiality, integrity, and availability of an organization's systems, including the data that is transmitted, processed, received, and stored on those systems. This policy would typically be acknowledged and implemented by an organization's IT department. |
| Third-Party Risk Management Policy | This policy establishes the process of addressing security risks that are related to third-party relationships. This policy is designed to help an organization use a third-party process based on information security and due diligence. This policy would typically be acknowledged and implemented by members of an organization who are involved with third-party provider relationships, such as the IT, legal, integrations, and procurement departments. |
| User Access Policy | This policy defines procedures and protocols for protecting and controlling access to an organization's information and assets. This policy would typically be acknowledged and implemented by an organization's IT department. |
Customizing Policy Templates
After you download a policy template, you can customize the policy so that it applies to your organization. On the first page of each policy template, you can find an overview of the sections that the policy template includes, as well as placeholders that you should edit.
For information about the sections and customizable placeholders in policy templates, see the subsections below.
Header, Logo, and Table
The beginning of each policy template contains a header, logo placeholder, and table.
In this section, you should edit the placeholders and fill out the fields that are listed below:
- [[policy_title]] [[version]]: You can edit this text to document the policy's title and version number. This header is included on all pages of the policy template.
- [[LOGO]]: If you would like, you can replace this text with your organization's logo. If you would not like to include your logo, you can remove this placeholder from the policy.
- Policy Owner: In this field, you can enter the name of the person who customized the policy or who is responsible for updating the policy.
- Effective Date: In this field, you can enter the date that this policy was first enforced or will be enforced for your organization.
- Revised Date: In this field, you can enter the date that this policy was last updated by a member of your organization.
Purpose, Scope, and Policy
The body of each policy template contains the Purpose, Scope, and Policy sections. The Purpose section describes the purpose of the policy, and the Scope section describes the assets, areas, and people that the policy applies to. The Policy section includes the entire policy.
In these sections, you should edit the placeholders that are listed below:
- [[Organization_Name]]: You can replace all instances of this placeholder with the name of your organization.
- [[organization-defined action...]]: This placeholder includes examples of actions. You can replace this placeholder with the action that applies to your organization.
- [[INCLUDE ITEM f. ONLY AS APPROPRIATE FOR THE ORGANIZATION]]: This placeholder is next to items that may not apply to your organization. You can review each item that this placeholder is next to, and either include or remove the item in your policy, depending on whether it applies to your organization. If you remove an item that does not apply to your organization, you should also remove the placeholder next to the item.
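A policy that still contains an unfilled placeholder such as [[Organization_Name]] or [[INCLUDE ITEM f. ONLY AS APPROPRIATE FOR THE ORGANIZATION]] is not ready to be published or acknowledged. The script below is an added example (not KCM GRC's own code) of a pre-publication check: it opens a DOCX file as the ZIP archive it is, reads word/document.xml, joins the text runs of each paragraph, and reports every remaining [[...]] placeholder with the paragraph numbers where it appears. Joining runs matters because Word frequently splits one placeholder across several runs, so a run-by-run search would miss it. The placeholder syntax is taken from this page; the sample document is constructed in memory for the demonstration and is not a real template. Only the Python standard library is used.

```python
import io
import re
import zipfile
import xml.etree.ElementTree as ET

# Placeholder syntax used by the templates on this page: [[name]]
PLACEHOLDER_RE = re.compile(r"\[\[[^\[\]]+\]\]")

# WordprocessingML namespace used inside word/document.xml
W_NS = "http://schemas.openxmlformats.org/wordprocessingml/2006/main"


def paragraph_texts(document_xml):
    """Return the text of each <w:p> paragraph, joining all its <w:t> runs."""
    root = ET.fromstring(document_xml)
    texts = []
    for p in root.iter("{%s}p" % W_NS):
        texts.append("".join(t.text or "" for t in p.iter("{%s}t" % W_NS)))
    return texts


def find_placeholders(paragraphs):
    """Map each remaining placeholder to the 1-based paragraph numbers it occurs in."""
    found = {}
    for number, text in enumerate(paragraphs, start=1):
        for placeholder in PLACEHOLDER_RE.findall(text):
            found.setdefault(placeholder, []).append(number)
    return found


def find_placeholders_in_docx(docx_bytes):
    """Open a DOCX (a ZIP archive) and check its main document part."""
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as archive:
        document_xml = archive.read("word/document.xml")
    return find_placeholders(paragraph_texts(document_xml))


def build_sample_docx(paragraphs, run_size=8):
    """Construct a minimal DOCX-like archive for testing (constructed data, not a KCM GRC template).

    Every paragraph is deliberately split into runs of `run_size` characters so
    that placeholders straddle run boundaries, as they often do in real files.
    """
    ET.register_namespace("w", W_NS)
    document = ET.Element("{%s}document" % W_NS)
    body = ET.SubElement(document, "{%s}body" % W_NS)
    for text in paragraphs:
        p = ET.SubElement(body, "{%s}p" % W_NS)
        chunks = [text[i:i + run_size] for i in range(0, len(text), run_size)] or [""]
        for chunk in chunks:
            r = ET.SubElement(p, "{%s}r" % W_NS)
            t = ET.SubElement(r, "{%s}t" % W_NS)
            t.text = chunk
    buffer = io.BytesIO()
    with zipfile.ZipFile(buffer, "w") as archive:
        archive.writestr("word/document.xml", ET.tostring(document, encoding="UTF-8"))
    return buffer.getvalue()


# Constructed sample: a partially customized policy. Paragraph 3 has the name
# filled in; paragraphs 4 and 5 still carry placeholders from the template.
SAMPLE_PARAGRAPHS = [
    "Acceptable Use Policy 1.0",
    "Purpose",
    "This policy governs the use of Example Corp assets and network.",
    "Scope: this policy applies to all users of [[Organization_Name]] systems.",
    "f. [[organization-defined action...]] [[INCLUDE ITEM f. ONLY AS APPROPRIATE FOR THE ORGANIZATION]]",
]


def report(docx_bytes):
    """Return human-readable lines describing unfilled placeholders (empty list if clean)."""
    remaining = find_placeholders_in_docx(docx_bytes)
    return ["%s in paragraph(s) %s" % (name, ", ".join(map(str, numbers)))
            for name, numbers in sorted(remaining.items())]


if __name__ == "__main__":
    for line in report(build_sample_docx(SAMPLE_PARAGRAPHS)) or ["No placeholders remain."]:
        print(line)
```

To check a downloaded template you have edited, read the file with `open(path, "rb").read()` and pass the bytes to `report()`; an empty result means every placeholder has been replaced or removed. The check only covers word/document.xml, so headers and footers (where the [[policy_title]] [[version]] placeholder lives) would need the same treatment applied to the word/header*.xml and word/footer*.xml parts of the archive.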
References
After the Policy section, each policy template contains a References section. This section includes a list of the NIST SP 800-53 controls that are addressed in the policy.
To learn more about NIST SP 800-53 controls, refer to the official publication, NIST SP 800-53 Revision 5, Security and Privacy Controls for Information Systems and Organizations.
Policy History
After the References section, each policy template contains a Policy History section. You can use this section to track the revisions that your organization makes to the policy.
In this section, you should replace the placeholders with information about your policy updates.